Andreeva, E.
, Bouillaguet, C.
, Dunkelman, O.
, Fouque, P.
, Hoch, J.
, Kelsey, J.
, Shamir, A.
and Zimmer, S.
(2015),
New Second-Preimage Attacks on Hash Functions, Journal of Cryptology, [online], https://doi.org/10.1007/s00145-015-9206-4, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=918851
(Accessed December 15, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
New Second-Preimage Attacks on Hash Functions
Published
Author(s)
Elena Andreeva, Charles Bouillaguet, Orr Dunkelman, Pierre-Alain Fouque, Jonathan J. Hoch, , Adi Shamir, Sebastien Zimmer
Abstract
In this work, we present several new generic second-preimage attacks on hash functions. Our first attack is based on the herding attack and applies to various Merkle-Damgard-based iterative hash functions. Compared to the previously known long-message second-preimage attacks, our attack offers more flexibility in choosing the second-preimage message at the cost of a small omputational overhead. More concretely, our attack allows the adversary to replace only a few blocks in the original target message to obtain the second preimage. As a result, our new attack is applicable to constructions previously believed to be immune to such second-preimage attacks. Among others, these include the dithered hash proposal of Rivest, Shoup's UOWHF, and the ROX constructions. In addition, we also suggest several time-memorydata tradeoff attack variants, allowing for a faster online phase, and even finding second preimages for shorter messages. We further extend our attack to sequences stronger than the ones suggested in Rivest's proposal. To this end we introduce the kite generator as a new tool to attack any dithering sequence over a small alphabet. Additionally, we analyse the second-preimage security of the basic tree hash construction. Here we also propose several second-preimage attacks and their time-memory-data tradeoff variants. Finally, we show how both our new and the previous second-preimage attacks can be applied even more efficiently when multiple short messages, rather than a single long target message, are available.Citation
Journal of Cryptology
Pub Type
Journals
Download Paper
Keywords
Cryptanalysis, Hash function, Dithering sequence, Second-preimage attack, Herding attack, Kite Generator
Citation
Issues
If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.
Created June 22, 2015, Updated October 12, 2021